NAT over IPSEC to private network
-
Hi Guys,
I'm looking to achieve a NAT rule over an IPsec tunnel which will NAT a spare IP address on the Site B network to a private address that is not part of the IPsec configuration.
Example Configuration:
Site A
Site A (ipsec): 192.168.100.0/24
Site B (ipsec): 192.168.200.0/24
Site B (private/not on ipsec): 172.16.10.0/24
We want to configure a NAT rule which NATs 192.168.200.253 to 172.16.10.253. This will be accessed from the 192.168.100.0 network.
This will allow the traffic to flow over the IPsec tunnel and provide RDP access to the isolated network.
I have not yet been able to get this working. Any ideas?
-
@Matt_Sharpe
At B add a phase 2 or copy the existing one and state these settings:
Local Network: Address > 172.16.10.253
NAT/BINAT translation: Address > 192.168.200.253
Remote Network: Network > 192.168.100.0/24
Move this p2 to the top of the p2 set.
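As an added illustration (not the poster's configuration and not pfSense code), a small Python model of how phase 2 traffic selectors with a BINAT entry are matched top to bottom on the Site B side, showing why the BINAT P2 has to sit above the broader LAN P2; the addresses reuse the example above, and the class and function names are my own.

```python
import ipaddress


class Phase2:
    """One IPsec phase 2 (traffic selector) with an optional pfSense-style BINAT."""

    def __init__(self, local, remote, binat=None):
        self.local = ipaddress.ip_network(local)    # real address(es) behind Site B
        self.remote = ipaddress.ip_network(remote)  # Site A network
        self.binat = ipaddress.ip_network(binat) if binat else None  # as seen over the tunnel
        if self.binat is not None and self.binat.prefixlen != self.local.prefixlen:
            raise ValueError("BINAT is 1:1, so local and translated networks must be the same size")

    def tunnel_side_local(self):
        # The selector negotiated with the peer carries the translated address, not the real one.
        return self.binat if self.binat is not None else self.local

    def matches_inbound(self, src, dst):
        return src in self.remote and dst in self.tunnel_side_local()

    def untranslate(self, dst):
        # 1:1 mapping keeps the host offset inside the network.
        if self.binat is None:
            return dst
        offset = int(dst) - int(self.binat.network_address)
        return ipaddress.ip_address(int(self.local.network_address) + offset)


def inbound_translate(phase2_list, src, dst):
    """Return (index of the matching P2, real destination) for a packet arriving from the tunnel.
    Entries are tried top to bottom; the first matching selector wins."""
    src, dst = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for idx, p2 in enumerate(phase2_list):
        if p2.matches_inbound(src, dst):
            return idx, str(p2.untranslate(dst))
    return None, None


# Constructed entries mirroring the thread: the plain P2 for the Site B LAN and the BINAT P2.
LAN_P2 = Phase2("192.168.200.0/24", "192.168.100.0/24")
BINAT_P2 = Phase2("172.16.10.253/32", "192.168.100.0/24", binat="192.168.200.253/32")


def ordering_demo(src="192.168.100.10", dst="192.168.200.253"):
    """Show why the BINAT P2 must sit above the broader LAN P2."""
    return {
        "binat_first": inbound_translate([BINAT_P2, LAN_P2], src, dst),
        "lan_first": inbound_translate([LAN_P2, BINAT_P2], src, dst),
    }
```

With the LAN P2 first, the packet for 192.168.200.253 is swallowed by the broader selector and never reaches 172.16.10.253; the same 1:1 offset logic applies to a network-sized BINAT such as a /16.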
-
@viragomann I've already tried this; it doesn't work and causes issues with the other P2 tunnel.
The ranges above are an example, but the real range is a /16 range and the P2 disconnects for the 2nd tunnel in the list...
-
@Matt_Sharpe
Yes, that doesn't work on all devices. If both are pfSense it should; if not, this is probably the wrong place to ask for support. However, maybe the logs give hints about what's going wrong with these settings.
-
@viragomann It is not pfSense on both sides. However, considering the NAT required is happening on the target side, which is a pfSense, I assume this is the best place to ask :)
We had this working previously with a simple DNAT rule on our old NSX edge, but it doesn't appear to work on pfSense.
-
@Matt_Sharpe said in NAT over IPSEC to private network:
It is not pfSense on both sides. However, considering the NAT required is happening on the target side, which is a pfSense, I assume this is the best place to ask :)
But the other site doesn't accept the multiple phase 2s, as it knows only one, I guess.
Again, check the logs to find out what's wrong.